Bug #7485

scrub does not properly re-fragment unusual but valid IPv6 fragments, results in overlapping fragments

Added by Jim Pingle almost 4 years ago.

Rules / NAT

When scrub is enabled, a set of valid fragments can be re-fragmented improperly by scrub when exiting the firewall. Without scrub enabled, the packets are forwarded properly.

A patch for this has already been imported into 2.4; this report is for documentation purposes.

I originally reproduced the reported problem by crafting packets with Scapy, using packets from a submitted capture file as a template. The packets are two fragments of a single TCP SYN.

With scrub disabled:
  • First packet is 8 bytes, marked as bytes 0-7
  • Second packet is 12 bytes, marked as bytes 8-19
With scrub enabled:
  • First packet is 12 bytes, marked as bytes 0-11
  • Second packet is 8 bytes, marked as bytes 8-15

The same problem is present on stock FreeBSD 11 using pf with scrub.

committed a fix to FreeBSD , which Renato imported into 2.4 snapshots and I tested afterward.

The new behavior is valid. The receiver now sees three non-overlapping fragments (8b, 8b, 4b) because the fragment reassembly code re-fragments along the size of the largest fragment, rounded down to the nearest 8-byte multiple. This is done to ensure the firewall does not break PMTUD.
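
The re-fragmentation rule described above, as an added example that is not part of the original report or of the pf source. It models only fragment payload byte ranges as (offset, length) pairs, ignores IPv6 headers, uses hypothetical function names, and takes its sample input from the byte ranges listed in this report.

```python
# Added illustration: payload byte ranges only, not pf's actual code.

def find_overlaps(frags):
    """Return pairs of (offset, length) fragments whose byte ranges intersect."""
    ordered = sorted(frags)
    overlaps = []
    for i, (off_a, len_a) in enumerate(ordered):
        for off_b, len_b in ordered[i + 1:]:
            # Sorted by offset, so b overlaps a iff it starts before a ends.
            if off_b < off_a + len_a:
                overlaps.append(((off_a, len_a), (off_b, len_b)))
    return overlaps


def refragment(frags):
    """Re-split a complete fragment set along the largest received fragment
    size, rounded down to the nearest multiple of 8 bytes."""
    if find_overlaps(frags):
        raise ValueError("overlapping input fragments")
    total = max(off + ln for off, ln in frags)
    if sum(ln for _, ln in frags) != total:
        raise ValueError("incomplete fragment set")
    unit = (max(ln for _, ln in frags) // 8) * 8
    if unit == 0:
        raise ValueError("largest fragment is smaller than 8 bytes")
    # Every fragment except possibly the last carries exactly `unit` bytes.
    return [(off, min(unit, total - off)) for off in range(0, total, unit)]


# Constructed from the report: fragments as sent (scrub disabled view).
ORIGINAL = [(0, 8), (8, 12)]
# Constructed from the report: what scrub emitted before the fix.
BUGGY_OUTPUT = [(0, 12), (8, 8)]

if __name__ == "__main__":
    print("overlaps before fix:", find_overlaps(BUGGY_OUTPUT))
    fixed = refragment(ORIGINAL)
    print("after fix:", fixed)
    print("overlaps after fix:", find_overlaps(fixed))
```

The same overlap check can be run over offsets and lengths read from a capture taken on the egress side of the firewall to confirm whether a given build still emits overlapping fragments.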
